
SANS ISC: Fedora to allow the installation of packages, without root privileges? - Internet Security | DShield SANS ISC InfoSec Forums


Fedora to allow the installation of packages, without root privileges?

A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication. Yes, you just read that correctly. (I'll give you a second to re-read that sentence so I don't have to retype it.) Yes, "it's a feature, not a bug".

In all my travels I've only run across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop. But what kind of security implications does this have? I obviously don't have to explain why this is (may be) a bad idea to the readers of the ISC, as we are all security-minded people.

Now, the restrictions. This change does not affect yum on the command line. This only affects installing things through the GUI. (Not that that helps any, as most users will be running the GUI anyway.) You can also disable it.

Create a file in:

/var/lib/polkit-1/localauthority/20-org.d  (you can name the file anything you want)

and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

(The above came from the release notes for Fedora 12, found here.)

Also, I found this as a solution:

pklalockdown --lockdown org.freedesktop.packagekit.package-install

Currently in the bug, there is some debate about whether they should revert this feature. So, this may be just temporary.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Joel

454 Posts
ISC Handler
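
As an added example (not from the original post or the Fedora release notes), this Python script parses the text of a .pkla entry like the one in the post and lists which accounts it actually forces to auth_admin for package installs. The account name alice, the helper names and the last-match-wins evaluation are assumptions of the example.

```python
import configparser
from fnmatch import fnmatchcase

INSTALL = "org.freedesktop.packagekit.package-install"

# The entry from the post, plus a copy whose Identity is widened to every user.
PAGE_RULE = """\
[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""
WILDCARD_RULE = PAGE_RULE.replace(
    "unix-user:someone;unix-user:someone_else", "unix-user:*")

def parse_pkla(text):
    """Parse the text of one .pkla file into a list of rule dicts."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text)
    return [{
        "name": name,
        "identities": [i for i in cp[name].get("Identity", "").split(";") if i],
        "actions": [a for a in cp[name].get("Action", "").split(";") if a],
        "active": cp[name].get("ResultActive"),
    } for name in cp.sections()]

def result_for(rules, user, action=INSTALL):
    """ResultActive of the last entry matching user and action, else None.

    Assumption: a later matching entry overrides an earlier one. Only
    unix-user identities are evaluated; group entries are not resolved.
    """
    result = None
    for r in rules:
        who = any(fnmatchcase("unix-user:" + user, i) for i in r["identities"])
        what = any(fnmatchcase(action, a) for a in r["actions"])
        if who and what and r["active"]:
            result = r["active"]
    return result

def uncovered(rules, users):
    """Users for whom no entry forces auth_admin on package installs."""
    return [u for u in users if result_for(rules, u) != "auth_admin"]

if __name__ == "__main__":
    accounts = ["someone", "someone_else", "alice"]  # constructed account names
    print("page rule leaves uncovered:", uncovered(parse_pkla(PAGE_RULE), accounts))
    print("wildcard rule leaves uncovered:", uncovered(parse_pkla(WILDCARD_RULE), accounts))
```

A result of None means no local entry matched, so the default shipped with the package policy still applies to that account.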
Remarkable that it wouldn't at least be turned off by default, feature or not.
Dean

135 Posts
Two notes.

1. The pklalockdown command is deprecated and can be removed as early as the next package update, i.e., by the time anyone reads this note (or not).

2. "Identity=unix-user:someone" only changes the policy for a person with the UID "someone." If you want (and you *should* want) to change it for everyone (other than root), then you must specify "Identity=unix-user:*"
Allen

4 Posts
Personally I'm frightened by the fact that Red Hat is arguing for this feature as it is currently implemented long and at length in the huge comment tree for this bug (as well as the mailing list thread talking about this) - This should have been default off, from the beginning.
Anonymous
This seems to have been changed to require the root password in this latest email.
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html
Anonymous
